RedAlert, or N13V as the group calls itself, is a ransomware group that attacks both Windows and Linux VMware ESXi servers using a human-operated encryptor. In other words, the threat actors must already be inside the victim's network and, based on the payload, must have admin rights on the machine in order to deploy it. The encryptor has various flag options to shut down VMs, perform recursive actions, and more before encrypting data with the rarely seen NTRUEncrypt public-key cryptosystem combined with ChaCha20. Other ransomware families that use NTRUEncrypt include PolyVice from Vice Society and FiveHands.
The first submission to VirusTotal was on July 5, 2022, and the first extortion was publicly reported around the same time. As such, the group probably began operations around then and concluded them at the end of the same calendar year. During operations, the group performed double-extortion attacks and leaked data on their dark web domain. They claimed six victims, but a ransomware sample exposed another alleged victim, for a total of 7. They demanded ransoms in Monero (XMR), a well-known privacy coin, totaling six figures in US dollars. To pressure victims into paying, they used a variety of blackmail methods, including free data leaks, ransom discounts (or increases if not paid), DDoS attacks, and even calling the employees of their victims. To make matters worse, N13V is known to have ransomed nonprofit groups, including one that worked with individuals with disabilities.
Known Victims (7)
Industry Sector | Country | Extortion Date | Amount (USD)
---|---|---|---
Real Estate & Housing | Austria | |
Construction & Architecture | Finland | |
Information Technology | France | |
Legal | United Kingdom | |
Hospitality | United States | |
Insurance | United States | |
Construction & Architecture | Spain | |